Jump to content

Is it me or that SQL Injection example that's faulty?

simun

By simun
in Suggestions

 Share

Recommended Posts

simun Newbie

simun

Posted
Posted (edited)

Hi there,

 

I was just looking at the PHP INSERT INTO example at the bottom of the tutorial page http://www.w3schools.com/sql/sql_injection.asp

 

The code shown is:-

1>  $stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City) VALUES (:nam, :add, :cit)");2>  $stmt->bindParam(':nam', $txtNam);3>  $stmt->bindParam(':val', $txtAdd);4>  $stmt->bindParam(':cit', $txtCit);5>  $stmt->execute();

Would this not return an error due to the mismatch between :add and :val in lines 1 and 3?

 

I'm not trying to find criticism, purely just trying to understand how to write safer code.

 

Many Thanks to all those involved in putting together and running w3school. :good:

Edited by simun

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...